A vulnerability in Mitsubishi Electric’s MELSEC-Q Series Ethernet Module could allow a remote attacker to gain escalated privileges, according to an ICS-CERT advisory.
Reported by Nozomi Networks, the vulnerability “could allow an attacker to render the PLC’s state in fault mode, requiring a cold restart for recovering the system and/or doing privilege escalation or executing arbitrary code in the context of the affected system of the workstation engineering software,” said Nozomi Networks co-founder and CTO Moreno Carullo.
On May 21, the US Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) issued an ICS-CERT advisory (ICSA-19-141-0s), noting that the uncontrolled resource consumption vulnerability was exploitable remotely and required a low skill level to exploit.
“Organizations that may be potentially impacted can implement the following National Cybersecurity and Communications Integration Center (NCCIC) mitigations: Minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the internet,” Carullo said.
“Locate control system networks and remote devices behind firewalls, and isolate them from the business network. When remote access is required, use secure methods, such as virtual private networks (VPNs), recognizing that VPNs may also have vulnerabilities and should be updated to the most current versions available. Also recognize that VPN is only as secure as the connected devices.”
Mitsubishi Electric has issued a firmware patch and recommends operating the affected device behind a firewall.
NCCIC encourages users to take defensive measures to minimize the risk of exploitation of this vulnerability, noting that users should:
- Minimize network exposure for all control system devices and/or systems and ensure that they are not accessible from the internet.
- Locate control system networks and remote devices behind firewalls and isolate them from the business network.
- Use secure methods when remote access is required, such as VPNs, recognizing that VPNs may have vulnerabilities and should be updated to the most current version available and that a VPN is only as secure as the connected devices.